(57) Abstract

The present invention relates to an arrangement for improving security in a communications system, especially a telecommunications system, said system comprising distributed hardware and software components which interact in order to provide services to one or more users. According to the present invention this improvement is implemented by introducing a generic access control in said system. In a specific embodiment the invention suggests three types of access control, related respectively to access to the terminal in question, to the telecom system and to the requested services.
ARRANGEMENT FOR IMPROVING SECURITY IN A
COMMUNICATION SYSTEM SUPPORTING USER MOBILITY 



FIELD OF THE INVENTION 

The present invention relates to an arrangement for improving security in 
a communications system, especially a telecommunications system, said 
system comprising distributed hardware and software components which 
interact in order to provide services to one or more users. 

More specifically the present invention concerns a user access control for 
distributed systems that support user mobility, i.e. users are allowed to 
move and use different terminals to access services. 

BACKGROUND OF THE INVENTION 

Access control is the procedure used by the telecom system domain to ensure that the user accesses the telecom system domain in accordance with the restrictions specified at subscription [1]. When mobility is supported, every user will have the possibility to use any terminal at any access point. The access control procedure is also intended to limit the access capability of a user for the protection and privacy of third parties. The third party can be the owner of the terminal or the access point, and must have the right to block or deblock, suspend or reset the service delivery at his terminal or access point to a user.

When the user is allowed to move and access the telecommunication services anywhere and at any time, the risk of threats increases dramatically at the same time as the mechanisms necessary to enforce security become more difficult to realise. In systems supporting general mobility, fraudulent use of anyone's subscription can be attempted from any terminal and at any network access point. In this way the user may be exposed to various forms of fraud as, for example, fraudulent use of the user's resources by unauthorised parties who manage to take up the identity of the user, eavesdropping, unauthorised tapping or modification of information exchanged during communication, and disclosure of the user's physical location [4]. Another security problem arises because the user is allowed to use any terminal and at any network access point. Such a temporary usage may conflict with the use of the terminal by the terminal owners, also referred to as third parties [6]. In principle, third parties should not suffer in terms of loss of privacy or freedom of action as a result of activities by the mobile user.

STATE OF THE ART

With mobility, users may make use of any existing and available terminals and network access points. However, this does not mean that the terminal owner (the third party) has to accept such actions on his terminal. He must have the rights to restrict the usage of the terminal, e.g. only allowing certain users while others are prohibited from using the terminal.

This may be done in many ways, e.g. by keeping the terminal in a secured place, using a local password, etc., but such measures are cumbersome for the owner and often not secure enough. This is commonly referred to as the protection of third parties.
The UPT (Universal Personal Telecommunication) [4] system comprises some sort of access control mechanisms, but they are limited to telephony services and to voice terminals or telephones.

Consequently, there is a need for an improved user access control for distributed systems supporting user mobility.

OBJECTS OF THE INVENTION 

The present invention has as an objective to address any mobile distributed system and any type of application, i.e. voice, data, image, video, interactive, multimedia, etc., in order to introduce an improved access control in such mobile distributed systems.

A further object of the present invention is to introduce a generic access control in such distributed systems.

Still another object of the present invention is to introduce such a generic access control for distributed systems supporting user mobility which can be used in mobile distributed systems comprising public or private, local-area or wide-area, wireline or wireless networks.

BRIEF DISCLOSURE OF THE INVENTION 

The above objects are achieved in an arrangement as stated in the preamble, which primarily is characterised by introducing in said system a user access control, for thereby enforcing security in communications systems.
In other words, the invention also suggests that this type of generic access control is related to personal mobility.

Further features and advantages of the present invention will appear from the following description taken in conjunction with the enclosed drawings, as well as from the appended patent claims.

BRIEF DISCLOSURE OF THE DRAWINGS 

Fig. 1 is a schematic diagram illustrating the main subject matter to which the present invention is related, namely by illustrating a user's access to the services in question.

Fig. 2 is a schematic diagram illustrating an embodiment of the present invention for carrying out access control, especially in relation to an information object Term_Profile.

Fig. 3 is a schematic diagram illustrating an embodiment of a Terminal_Data object.

Fig. 4 illustrates a computational model of the access control of a user for 
use of a terminal. 

Fig. 5 is a schematic diagram illustrating a User_Registration object containing a list of allowed services.

Fig. 6 is a schematic diagram illustrating the relation between user domain, terminal domain and telecom system domain as well as an embodiment of access control on the access to the telecom system.
Fig. 7 is a block diagram illustrating the relation between user domain, terminal domain and telecom system domain, as well as an embodiment of access control on the access to the telecom system.

DETAILED DESCRIPTION OF EMBODIMENT 

As stated previously, the present invention relates to user access control for distributed systems that support user mobility, which means that the users are allowed to move and use different terminals to access services available to them.

In Fig. 1 there is illustrated a user which has access to a terminal, which in turn is communicating with a telecom system, which in turn is offering a plurality of services.

Before allowing the user to access the services offered by the telecom system domain, he is subject to three types of access control:

• access control concerning the use of the current terminal (protection of third party)
• access control concerning the access to the telecom system
• access control concerning the use of the service requested
We shall successively describe the three mentioned access controls.

Access control for use of the current terminal

With mobility, users may make use of any existing and available terminals and network access points. However, this does not mean that the terminal owner (the third party) has to accept such actions on his terminal. He must have the rights to restrict the usage of the terminal, e.g. only allowing certain users while others are prohibited from using the terminal. Of course, there are many ways to do this locally, e.g. keeping the terminal in a secure place, using a local password, etc., but they are cumbersome for the owner and often not secure enough. This is commonly referred to as the protection of third parties [2].

Let us suppose that the mobile distributed system uses agent techniques to support mobility and has the following objects:

PD_UA (ProviderDomain_UserAgent) representing a user in the telecom system domain.

TA (Terminal Agent) representing a terminal in the telecom system domain.

SPA (ServiceProvider Agent) representing the telecom system in the terminal domain.

NAP representing a Network Access Point.

TAP representing a Terminal Access Point.

The information required for carrying out the access control is contained in the Usage_Restriction component of the object Term_Profile (see Figure 2), which contains information about the terminal. The attribute All_Barring is used to specify that only the terminal owner can use the terminal. The terminal owner may also prevent a particular user or group of users from using his terminal by specifying the attribute Barring_List, or allow only certain users by specifying an Allowance_List. Modification of the Usage_Restriction may be provided as an application where only the owner has the right of access. The details of such an application and the specific layout of the Usage_Restriction are a matter of implementation and will not be carried further here.

In order to support selective access control of the terminal, the object Terminal_Data, which contains information required for the support of terminal mobility such as state, NAPid, etc., may be equipped with a table of controlled and cleared users, called ClearedUserTable, as shown in Figure 3. The ClearedUserTable contains the references or CIIs (Computational Interface Identifiers) of the PD_UAs whose access has been controlled.

The TA assumes the Access control Enforcement Function (AEF). The Access control Decision Function is allocated to an object called ADF. The access control procedure for use of the terminal is shown in Figure 4.

1. Every time an operation OpX arrives at the TA, the TA will check whether the identifier of the originating or addressed PD_UA is on the ClearedUserTable or not. If it is, TA will do the transfer of OpX. If it is not, TA will initiate the access control procedure.

2. TA invokes Get(Usage_Restriction) on Term_Profile to acquire the access control Decision Information (ADI).

3. The TA invokes the operation Decision_Request on the ADF object. The arguments of this operation are the ADI obtained from the Term_Profile. The ADF makes the decision and returns the Access_Result to TA. The Access_Result may be granted or not_granted. If the Access_Result is not_granted, TA returns an error message to the originator of the operation.

4. If the Access_Result is granted, TA invokes the operation Update(ClearedUserTable, PD_UARef) on Terminal_Data to register the PD_UA of the newly cleared user.



One way of removing entries from ClearedUserTable, i.e. the identifier (reference) of a PD_UA, is to restart a timer each time that entry is accessed. If the timer times out, the entry is removed. Some entries may be permanent, i.e. they are not associated with a timer.

This type of access control is only intended for users other than the terminal owner himself. In fact, the terminal owner should never be prevented from using his terminal. The access to the telecom system domain and the access to the services are different types of access controls which are applicable to all the users, including the terminal owner.

In the object Usage_Restriction it is therefore necessary to define an additional attribute called NoRestr_List containing the PD_UA identifiers of the users who are by default allowed to use the terminal. The identifier of the terminal owner's PD_UA is one of them. This list must not be accessible to anyone but the telecom system domain operator itself, i.e. not even to the terminal owner. However, it may be possible to define an "emergency user", i.e. every call to an emergency number will be effectual without being checked by the access control service.
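The terminal-level procedure above (steps 1 to 4), the timer-based expiry of ClearedUserTable entries and the NoRestr_List bypass, as an added example in Python. This is not code from the patent: the attribute layout of Usage_Restriction, the string values returned by the TA, the timer length and the injectable clock are assumptions made for the example, and the object names follow the description (Term_Profile, Usage_Restriction, ClearedUserTable, TA, ADF).

```python
import math
import time
from dataclasses import dataclass, field

GRANTED, NOT_GRANTED = "granted", "not_granted"


@dataclass
class UsageRestriction:
    """Usage_Restriction component of Term_Profile (attribute layout assumed)."""
    owner: str                                          # owner's PD_UA identifier
    all_barring: bool = False                           # All_Barring: only the owner may use the terminal
    barring_list: set = field(default_factory=set)      # Barring_List: users explicitly refused
    allowance_list: set = field(default_factory=set)    # Allowance_List: if non-empty, only these users
    norestr_list: set = field(default_factory=set)      # NoRestr_List: operator-held, never checked


class ADF:
    """Access control Decision Function: stateless policy over the ADI."""

    def decision_request(self, adi: UsageRestriction, pd_ua_ref: str) -> str:
        if adi.all_barring:
            return NOT_GRANTED
        if pd_ua_ref in adi.barring_list:
            return NOT_GRANTED
        if adi.allowance_list and pd_ua_ref not in adi.allowance_list:
            return NOT_GRANTED
        return GRANTED


class TerminalAgent:
    """TA: Access control Enforcement Function for one terminal."""

    def __init__(self, term_profile: UsageRestriction, adf: ADF,
                 ttl_seconds: float = 300.0, clock=time.monotonic):
        self.term_profile = term_profile
        self.adf = adf
        self.ttl = ttl_seconds            # assumed timer length for non-permanent entries
        self.clock = clock                # injectable so the timer can be tested deterministically
        # ClearedUserTable: PD_UA reference -> expiry time (math.inf marks a permanent entry)
        self.cleared_user_table: dict = {}

    def _is_cleared(self, pd_ua_ref: str) -> bool:
        expiry = self.cleared_user_table.get(pd_ua_ref)
        if expiry is None:
            return False
        if expiry != math.inf:
            if self.clock() > expiry:
                del self.cleared_user_table[pd_ua_ref]                   # timer timed out: entry removed
                return False
            self.cleared_user_table[pd_ua_ref] = self.clock() + self.ttl  # each access restarts the timer
        return True

    def handle(self, pd_ua_ref: str, op_name: str) -> str:
        """Called for every operation OpX arriving at the TA; returns what the TA did with it."""
        # The owner and the other NoRestr_List members are allowed by default and never checked.
        if pd_ua_ref == self.term_profile.owner or pd_ua_ref in self.term_profile.norestr_list:
            return f"{op_name}: transferred"
        if self._is_cleared(pd_ua_ref):                                   # step 1: already cleared
            return f"{op_name}: transferred"
        adi = self.term_profile                                           # step 2: Get(Usage_Restriction)
        result = self.adf.decision_request(adi, pd_ua_ref)                # step 3: Decision_Request
        if result != GRANTED:
            return f"{op_name}: error ({result})"                         # error message to the originator
        self.cleared_user_table[pd_ua_ref] = self.clock() + self.ttl      # step 4: Update(ClearedUserTable)
        return f"{op_name}: transferred"


if __name__ == "__main__":
    restriction = UsageRestriction(owner="pdua-owner", barring_list={"pdua-mallory"})
    ta = TerminalAgent(restriction, ADF(), ttl_seconds=10.0)
    for user in ("pdua-owner", "pdua-alice", "pdua-mallory", "pdua-alice"):
        print(user, "->", ta.handle(user, "OpX"))
```

Permanent entries are stored with an infinite expiry and are therefore never removed. The owner and the NoRestr_List members never reach the ADF at all, which keeps the default-allowed list out of the decision path; a second request from a cleared user only touches the table and restarts its timer, so the ADF is consulted once per clearance, not once per operation.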
Access control for access to the telecom system domain

If the user is allowed to use the terminal, it does not necessarily mean that he is allowed to access the telecom system domain. He may be located outside the roaming area; his credit with the operator may have run out; the authentication mechanism used to authenticate him may also be too weak, so that he is allowed to access only a limited set of services. The list of allowed services for a user at a terminal is hence equal to or smaller than the list of subscribed services. This list is a column in the User_Registration object in Figure 5.

The initiator of the access control service is User a. The target is the telecom system domain. The AEF is assumed by the PD_UAa. The ADF is assumed by the object ADF. The access of the user to the telecom system domain may be limited by some parameters such as Roaming_Restriction, Credit_Limit, Time_Restriction, etc. which are contained in the Service_Restriction attribute of the User_Profile object. The Service_Restriction attribute also contains a list of subscribed services. The use of the services in this list may be conditioned by the strength of the method used to authenticate the user, the location of the terminal, the call destination, etc. The Service_Restriction attribute may thus be quite complex.

A computational model of the access control service for access to the telecom system domain is shown in Figure 6. The access control procedure is as follows:

1. The PD_UAa object invokes a Get(Service_Restriction) on the User_Profile to acquire the access control Decision Information (ADI).

2. The PD_UAa object invokes a Get(SecurityData) on the User_Registration object to acquire the contextual information (result from the authentication service).

3. The PD_UAa object invokes the operation Decision_Request on the ADF object. The arguments of this operation are the ADI obtained from User_Profile and the contextual information obtained from User_Registration.

The ADF may use the access control services offered by the platform or a security system to obtain further contextual information such as time, system status, etc. and the access control policy rules. The ADF makes the decision and returns the Access_Result to PD_UAa together with SecurityData and AllowedServices.

The Access_Result may be granted, not_granted or suspended. If the Access_Result is suspended, depending on the access control policy, the terminal will be temporarily or permanently no longer allowed to access the telecom system domain.

If the Access_Result is not_granted, the SecurityData returned to the PD_UAa from the ADF will contain a NoOfRetries field increased by one. The NoOfRetries field indicates the number of unsuccessful access attempts and is used as contextual information for the next access control service. The PD_UAa will invoke the operation Set(SecurityData) on the User_Registration object to save the updated SecurityData. Depending on the operation which initiated the access control procedure, the PD_UAa will return the appropriate response containing a not_granted status.
When the Access_Result is granted, the AllowedServices containing an updated list of allowed services is returned to the PD_UAa. The PD_UAa will invoke the operation Set(AllowedServices) on the User_Registration object to save the updated AllowedServices. Depending on the operation which initiated the access control procedure, the PD_UAa will return the appropriate response containing a granted status.

The user can now request the wanted service and is hence subject to the 
access control for the requested service. 
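The access control for access to the telecom system domain, as an added Python example that is not part of the patent. It follows the three-step procedure above and the handling of the three Access_Result values, with PD_UAa as the AEF, Service_Restriction as the ADI and SecurityData (NoOfRetries, authentication result) as contextual information. The concrete restriction fields (roaming area, credit, time window), the authentication-strength scale, the retry threshold that turns not_granted into suspended, and the saving of SecurityData on a suspended result are all assumptions made for this example.

```python
from dataclasses import dataclass, field, replace

GRANTED, NOT_GRANTED, SUSPENDED = "granted", "not_granted", "suspended"
MAX_RETRIES = 3   # assumed policy: suspend once this many unsuccessful attempts are recorded


@dataclass
class ServiceRestriction:
    """Service_Restriction attribute of User_Profile (field layout assumed)."""
    roaming_area: set          # Roaming_Restriction: network ids the user may use
    credit_limit: float        # Credit_Limit: access refused once this much credit is spent
    allowed_hours: tuple       # Time_Restriction: (first_hour, last_hour_exclusive)
    subscribed: dict           # subscribed service id -> minimum authentication strength required


@dataclass
class SecurityData:
    """Result of the authentication service, held in User_Registration."""
    auth_strength: int         # assumed scale 0 (none) .. 3 (strong)
    no_of_retries: int = 0     # NoOfRetries: unsuccessful access attempts so far


@dataclass
class Context:
    """Further contextual information the ADF obtains from the platform."""
    network_id: str
    credit_used: float
    hour: int


@dataclass
class Decision:
    access_result: str
    security_data: SecurityData
    allowed_services: list = field(default_factory=list)


class ADF:
    def decision_request(self, adi: ServiceRestriction, sec: SecurityData, ctx: Context) -> Decision:
        first, last = adi.allowed_hours
        admitted = (
            ctx.network_id in adi.roaming_area       # inside the roaming area
            and ctx.credit_used < adi.credit_limit   # credit has not run out
            and first <= ctx.hour < last             # inside the permitted time window
        )
        if not admitted:
            # SecurityData is returned with NoOfRetries increased by one; the stored copy is not mutated
            updated = replace(sec, no_of_retries=sec.no_of_retries + 1)
            if updated.no_of_retries >= MAX_RETRIES:
                return Decision(SUSPENDED, updated)
            return Decision(NOT_GRANTED, updated)
        # AllowedServices: the subscribed services whose required authentication strength
        # is met, so it is always equal to or smaller than the subscription list.
        allowed = sorted(s for s, need in adi.subscribed.items() if sec.auth_strength >= need)
        return Decision(GRANTED, sec, allowed)


class UserRegistration:
    def __init__(self, security_data: SecurityData):
        self.security_data = security_data
        self.allowed_services: list = []


class PD_UA:
    """Provider-domain user agent: AEF for the user's access to the telecom system domain."""

    def __init__(self, user_profile: ServiceRestriction, registration: UserRegistration, adf: ADF):
        self.user_profile = user_profile
        self.registration = registration
        self.adf = adf

    def access_system(self, ctx: Context) -> str:
        adi = self.user_profile                                  # step 1: Get(Service_Restriction)
        sec = self.registration.security_data                    # step 2: Get(SecurityData)
        decision = self.adf.decision_request(adi, sec, ctx)      # step 3: Decision_Request
        if decision.access_result == GRANTED:
            self.registration.allowed_services = decision.allowed_services   # Set(AllowedServices)
        else:
            self.registration.security_data = decision.security_data         # Set(SecurityData)
        return decision.access_result


if __name__ == "__main__":
    profile = ServiceRestriction(roaming_area={"home", "partner"}, credit_limit=100.0,
                                 allowed_hours=(8, 20), subscribed={"voice": 1, "data": 1, "banking": 3})
    ua = PD_UA(profile, UserRegistration(SecurityData(auth_strength=2)), ADF())
    print(ua.access_system(Context("home", 10.0, 12)), ua.registration.allowed_services)
    for _ in range(3):
        print(ua.access_system(Context("foreign", 10.0, 12)), ua.registration.security_data)
```

The ADF never writes to User_Registration itself: it returns a fresh SecurityData and the PD_UAa persists it, which mirrors the Set(SecurityData) step and keeps the decision function free of side effects. Because the retry count is part of the contextual information, the same ADF call can escalate from not_granted to suspended without any extra state in the AEF.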

Access control for the requested service 

There are two types of services, outgoing and incoming. Outgoing services are initiated by the user himself while incoming services are delivered to him by other users or applications.

For outgoing services, the initiator of the access control service is User a. For incoming services the initiator is some other user or application. The target is the requested service. The AEF is assumed by the PD_UAa. The ADF is assumed by the object ADF. The access of the user to the requested service is limited by the information contained in the AllowedService list of the User_Registration object. Another restriction originates from the Usage_Restriction contained in the object Terminal_Data and set by the terminal owner. The terminal owner may allow only one or both of the two service types to be performed on his terminal. The attributes OutBarring and InBarring of the Usage_Restriction are used to specify, respectively, the users who are not allowed to use outgoing services and incoming services on the terminal (or who are allowed).

The access control procedure is as follows: 
1. The PD_UAa object receives a ServiceReq(ServId) from either the user or an application.

2. The PD_UAa object invokes a Get(Usage_Restriction) on the TA.

3. The PD_UAa object invokes a Get(AllowedService) on the User_Registration.

4. The PD_UAa object invokes the operation Decision_Request on the ADF object. The arguments of this operation are the ADI obtained from the User_Registration object and the TA.

The ADF makes the decision and returns the Access_Result to PD_UAa. The Access_Result may be granted or not_granted. Depending on the operation which initiated the access control procedure, the PD_UAa will return the appropriate response to the requester. The access control on the requested service is shown in Figure 7.
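The access control for the requested service, as an added Python example (not the patent's own code). It combines the two restrictions named above: the AllowedService list from User_Registration, and the OutBarring / InBarring attributes of the Usage_Restriction obtained from the TA. The example derives the service direction from who initiated the request (the user for outgoing, anyone else for incoming), and represents OutBarring and InBarring as sets of barred user identifiers; the text allows either an allow or a bar reading, so the bar reading, the service names and the identifier format are assumptions.

```python
from dataclasses import dataclass, field

GRANTED, NOT_GRANTED = "granted", "not_granted"
OUTGOING, INCOMING = "outgoing", "incoming"


@dataclass
class UsageRestriction:
    """The part of Usage_Restriction set by the terminal owner that matters here."""
    out_barring: set = field(default_factory=set)   # OutBarring: users refused outgoing services
    in_barring: set = field(default_factory=set)    # InBarring: users refused incoming services


class TerminalAgent:
    def __init__(self, usage_restriction: UsageRestriction):
        self.usage_restriction = usage_restriction

    def get_usage_restriction(self) -> UsageRestriction:
        return self.usage_restriction


class UserRegistration:
    def __init__(self, allowed_services):
        # AllowedService list produced by the telecom system domain access control
        self.allowed_services = set(allowed_services)

    def get_allowed_service(self) -> set:
        return self.allowed_services


class ADF:
    def decision_request(self, pd_ua_ref: str, serv_id: str, direction: str,
                         allowed: set, restriction: UsageRestriction) -> str:
        if serv_id not in allowed:                       # not among the user's allowed services
            return NOT_GRANTED
        barred = restriction.out_barring if direction == OUTGOING else restriction.in_barring
        return NOT_GRANTED if pd_ua_ref in barred else GRANTED


class PD_UA:
    """Provider-domain user agent of one user: AEF for the requested service."""

    def __init__(self, pd_ua_ref: str, ta: TerminalAgent, registration: UserRegistration, adf: ADF):
        self.pd_ua_ref = pd_ua_ref
        self.ta = ta
        self.registration = registration
        self.adf = adf

    def service_req(self, serv_id: str, initiator: str) -> str:
        """Step 1, ServiceReq(ServId): outgoing when the user initiates it, incoming otherwise."""
        direction = OUTGOING if initiator == self.pd_ua_ref else INCOMING
        restriction = self.ta.get_usage_restriction()                 # step 2: Get(Usage_Restriction)
        allowed = self.registration.get_allowed_service()             # step 3: Get(AllowedService)
        return self.adf.decision_request(self.pd_ua_ref, serv_id,     # step 4: Decision_Request
                                         direction, allowed, restriction)


if __name__ == "__main__":
    ta = TerminalAgent(UsageRestriction(out_barring={"pdua-alice"}, in_barring={"pdua-bob"}))
    alice = PD_UA("pdua-alice", ta, UserRegistration({"voice", "sms"}), ADF())
    print("alice calls out:", alice.service_req("voice", initiator="pdua-alice"))
    print("bob calls alice:", alice.service_req("voice", initiator="pdua-bob"))
```

Both checks are applied on every request, so a service the operator allowed can still be refused on a particular terminal by its owner, and a service the owner permits can still be refused when it is not in the user's AllowedService list for this registration.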

MERITS OF THE INVENTION

This invention has a high level of flexibility in the sense that it can be used in different mobile distributed systems, public or private, local-area or wide-area, wireline or wireless.

It is a complete access control in the sense that it contains all the three 
types of access control. 

Important features of the invention may be listed as follows: 
1: A user access control is introduced for distributed systems that support personal mobility.

2: Such a user access control consists of access control for the use of the terminal, access control to the telecom system and access control to the requested services.

REFERENCES

1. ISO/IEC. Information technology - Open Systems Interconnection - Security frameworks in Open Systems: Part 1: Access Control, Jun 93

2. ETSI. NA:UPT: Service Requirements on protection of third

...tional Telecommunication Union-Telecommunication Standardization Sector, (Version 10) Jan 94.
Patent claims

1. Arrangement for improving security in a communications system, especially a telecommunications system, said system comprising distributed hardware and software components which interact in order to provide services to one or more users,

characterized by introducing in said system a generic access control therein for thereby enforcing security.

2. Arrangement as claimed in claim 1,

characterized in that said generic access control is related to personal mobility.

3. Arrangement as claimed in claim 1 or 2,

characterized in that said generic access control is introduced in any Open Distributed Processing (ODP) system and/or any Common Object Request Broker Architecture (CORBA) system, or similar.

4. Arrangement as claimed in any of the preceding claims,

characterized in that said generic access control is introduced in any mobile distribution system, offering any type of applications, i.e. voice, data, image, video, interactive, multimedia, etc.

5. Arrangement as claimed in any of the preceding claims,

characterized in that before any user is allowed to access the services offered by the related telecom system domain, the user will be subjected to several types of access controls.

6. Arrangement as claimed in claim 5,

characterized in that said access control preferably comprises access control for the use of the terminal, access control to the telecom system and access control to the requested services.

7. Arrangement as claimed in any of the preceding claims,

characterized in that the information required for carrying out said generic access control is contained in a Usage Restriction component of a Term Profile object containing information about the terminal in question.

8. Arrangement as claimed in claim 7,

characterized by a Terminal Data object containing information required for supporting terminal mobility, for example state, NAPid (Network Access Point id), etc., said object also comprising a table of controlled and cleared users.

9. Arrangement as claimed in claim 7 or 8,

characterized in that said Term Profile object and said Terminal Data object, which are found in the telecom system domain, are controlled by agent techniques, comprising inter alia a Terminal Agent (TA).

10. Arrangement as claimed in any of claims 7-10,

characterized in that in the telecom system domain there are provided one or more timers which are restarted each time an entry is accessed, the setting of the timer deciding the maintenance of said entry, and that entries not associated with a timer are regarded as permanent entries.



WO 98/45982 PCT/NO98/00109

Figure 1 (drawing sheet 1/5): User, telecom system, Services
Figure 2 The information object Term_Profile
Figure 3 The Terminal_Data object
Figure 5 A User_Registration object containing the list of allowed services
Figure 7 Access control on the access to the telecom system